It was an account we were hosting. They had uploaded a proxy server named httpd.cgi into their /cgi-bin which was being used to send out spam whose headers said it came from our server but which was not recorded in the exim mail logs.

Anybody still having this problem should look through your accounts for proxy servers. I went to SpamCop to check the date of the first spam report, and then started by looking at accounts opened shortly before that. This narrowed down the search and let me find him quickly.

I was just coming over to post this very thing. While I will not put the users personal details here, I will make them available to anyone who makes a request by emailing me. Anything that can be done to stop these clowns, I'm willing to do. I just got it figured out a couple of hours ago, and the spammer has long since been deleted.

Great news! Hopefully this thread will help the next host who runs into this.

By the way, SpamCop showed me the headers on the spam. There were a few distinctive things, like a server name of localhost.localhost and the same return address at yahoo.it. Turns out he had a template e-mail in the same directory with this information in it. So another quick way to locate the offending account would have been: